Dear valued Palo Alto Networks customers,
Palo Alto Networks firewalls communicate with Panorama managers and Panorama log collectors over a secure channel. For Panorama versions prior to PAN-OS 8.0, the signing CA certificate will expire on Friday, June 16, 2017. This certificate is used to issue the server certificate on Panorama and log collectors, and authenticate communication between the firewalls and Panorama. After the signing CA certificate expires, the firewalls will no longer be able to authenticate the connection with Panorama, which will cause the communication with Panorama to fail.
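As an added illustration of the point above (not Palo Alto Networks code and not part of the original notice), the following Python script shows how a defender can put a number on "days until the signing certificate expires" for any TLS channel. It works on the dictionary that Python's standard-library `ssl.SSLSocket.getpeercert()` returns, so it can be pointed at a live endpoint or, as here, fed a constructed record whose dates mirror the advisory; the hostname and CA name are placeholders.

```python
"""Days-to-expiry check for a TLS peer certificate.

Added example, not Palo Alto Networks code. It operates on the dictionary
that ssl.SSLSocket.getpeercert() returns in Python's standard library, so it
can be run against a live endpoint or, as here, against a constructed record.
"""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample, modelled on the advisory's dates: a server certificate
# issued by a signing CA that expires on June 16, 2017. Names are placeholders.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "panorama.example.invalid"),),),
    "issuer": ((("commonName", "Example Signing CA"),),),
    "notBefore": "Jun 16 00:00:00 2012 GMT",
    "notAfter": "Jun 16 00:00:00 2017 GMT",
}


def _as_utc(when):
    """Accept None (now), an ISO-8601 string, or a datetime; return an aware UTC datetime."""
    if when is None:
        return datetime.now(timezone.utc)
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def issuer_cn(cert):
    """Return the issuer's commonName, i.e. the CA that signed the peer certificate."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def days_until_expiry(cert, now=None):
    """Whole days from `now` to notAfter; negative once the certificate has expired."""
    expires_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    return (expires_at - _as_utc(now)).days


def assess(cert, now=None, warn_days=30):
    """Classify the certificate as 'ok', 'expiring' (within warn_days) or 'expired'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        status = "expired"
    elif days <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {"status": status, "days_left": days, "issuer": issuer_cn(cert)}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the peer certificate of a live TLS endpoint (network access required).

    Verification stays enabled on purpose: with CERT_NONE, getpeercert()
    returns an empty dict and there would be nothing to assess.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline run against the constructed sample, as of the advisory's date.
    print(assess(SAMPLE_PEER_CERT, now="2017-05-29"))
```

Run on the constructed record with `now="2017-05-29"` the check reports 18 days left and the status `expiring`; the same function called on `fetch_peer_cert(host)` output gives the figure for a real endpoint. The `issuer` field matters as much as the date: it is the signing CA's own expiry, not just the leaf certificate's, that the advisory concerns, so the same check should be run on each certificate in the chain.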
To mitigate this issue, one of the following actions must be taken before Friday, June 16, 2017:
Option 1: Upgrade software on Panorama and all log collectors to the maintenance releases listed below:
Option 2: Update the content on Panorama and all log collectors to content version 700 or later:
The content update will need to be applied to the Panorama management server and all Panorama log collectors before the June 16, 2017 expiration date. The Panorama server and the log collectors will then have to be rebooted for the certificate to take effect. Upon successfully installing the content update, a critical severity system log will be generated and indicate that the Panorama server certificate has been extended.
Palo Alto Networks firewalls, WF-500 devices, and M-500 appliances running in PAN-DB mode are not affected by this issue and do not require software or content updates.
IMPORTANT NOTE: Please do not install software versions 7.1.9, 8.0.0 or 8.0.1 on Panorama or log collectors after Friday, June 16, 2017. Doing so will replace the CA certificate on your Panorama or log collectors, causing firewall communications to fail. We plan to remove these releases (PAN-OS 7.1.9, 8.0.0 or 8.0.1 for Panorama) from our update server during the week of May 29, 2017. For more details, please see the below FAQ.
Thank you in advance for your understanding. We sincerely apologize for any inconvenience this may cause. We have taken steps, including implementing additional oversight measures, to prevent this issue from recurring in the future. Should you have any questions, please don’t hesitate to reach out to your support provider or the Palo Alto Networks Support Team at https://support.paloaltonetworks.com.
Palo Alto Networks
Q: What is the exact time of the certificate expiration?
Q: Do I need to upgrade or update content on my firewalls?
Q: Does this certificate expiration affect all instances of Panorama managers and log collectors?
Q: What would happen if I didn’t upgrade software or update content on my Panorama by Friday, June 16, 2017?
Q: What is the difference between the content-based fix and the software-based fix?
Q: When should I use the software upgrade vs. the content-based fix to resolve the issue?
If you are transitioning off older releases that are end-of-life or will be end-of-life by June 16, 2017 (Panorama versions 5.0, 5.1, 6.0), we recommend utilizing the content-based fix.
Q: How do I check whether the Panorama server certificate has been successfully extended or upgraded?
Q: What does a sample system log look like?
The log is a critical severity system log generated once the content has been installed and the CA certificate extension has been applied. One such log is generated for each log collector forwarding logs to Panorama and for the Panorama appliance itself; check the “Device Name” column to see which device generated it. The text of the log is:
“Panorama CA certificate extended until April 2027 via content. Please reboot Panorama/log collector for the certificate to be used. Without reboot of Panorama/log collector, firewalls will not connect after June 16, 2017. Additional information in content release notes.”
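Because one such log is expected per device, the practical check is to reconcile the logs against the list of Panorama and log collector appliances and find any device that never reported the extension. The Python below does that; it is an added example, not Palo Alto Networks code, and the CSV-style export it parses (timestamp, device name, severity, description) and the device names are constructed for the example. The column layout of a real system-log export should be taken from your own Panorama.

```python
"""Reconcile the "certificate extended" system log against a device inventory.

Added example, not Palo Alto Networks code. The log line format below is a
constructed CSV export (timestamp, device name, severity, description); the
real export format and column names should be taken from your own Panorama.
"""

# Distinctive prefix of the message quoted in the advisory.
EXTENSION_MARKER = "Panorama CA certificate extended until April 2027 via content"

# Constructed inventory: the Panorama server plus its log collectors.
INVENTORY = ["panorama-01", "logcollector-01", "logcollector-02"]

# Constructed export of system logs after the content update; the third
# collector never produced the extension message.
SAMPLE_SYSTEM_LOG = """\
2017-05-30 09:12:44,panorama-01,critical,Panorama CA certificate extended until April 2027 via content. Please reboot Panorama/log collector for the certificate to be used.
2017-05-30 09:13:02,logcollector-01,critical,Panorama CA certificate extended until April 2027 via content. Please reboot Panorama/log collector for the certificate to be used.
2017-05-30 09:15:10,logcollector-02,critical,Content update failed
"""


def parse_system_log(log_text):
    """Yield (device_name, severity, description) tuples from the constructed export."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # The description may itself contain commas, so split at most three times.
        _timestamp, device, severity, description = line.split(",", 3)
        yield device.strip(), severity.strip(), description.strip()


def devices_reporting_extension(log_text):
    """Device names whose system log carries the certificate-extension message."""
    return {
        device
        for device, severity, description in parse_system_log(log_text)
        if severity == "critical" and EXTENSION_MARKER in description
    }


def devices_missing_extension(inventory, log_text):
    """Inventory members with no extension message: re-check the content install there."""
    seen = devices_reporting_extension(log_text)
    return sorted(device for device in inventory if device not in seen)


if __name__ == "__main__":
    print("reported:", sorted(devices_reporting_extension(SAMPLE_SYSTEM_LOG)))
    print("missing: ", devices_missing_extension(INVENTORY, SAMPLE_SYSTEM_LOG))
```

On the constructed data the script reports `panorama-01` and `logcollector-01` as extended and lists `logcollector-02` as missing. The message itself says the certificate is not used until the device is rebooted, so a device appearing in the "reported" set still needs its reboot tracked separately.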
Q: Can I have a mix of the Panorama server with the software upgrade and the log collectors with the content fix?
Q: Do I need to re-install content if I upgrade or downgrade to another version of Panorama?
Q: After the June 16 expiration date, what happens when a cold spare or new device connects to Panorama?
Q: I have multiple log collectors in a log collector group. What are the best practices associated with preventing CA certificate-related communication failures on my log collection infrastructure after June 16, 2017?
Q: I am running an HA pair of Panoramas. Do I need to apply the fix to both Panorama servers?
Q: I tried to apply the content-based fix but had to revert to a previous version of content. When I reboot my Panorama/log collector, I noticed that I had applied the new certificate. Is this expected?
Q: If I am running Panorama version 6.0, 5.1, or 5.0 with my firewalls running PAN-OS version 5.0 or 6.0, is there a different procedure I need to follow to mitigate the issue?